Family businesses face many cybersecurity challenges. Learn how you can protect your company.
Cybersecurity is a hot topic among family offices, and for good reason. The American Institute of Certified Public Accountants (AICPA) reported in 2015 that 25% of Americans had been victims of information security breaches in the past year, double the rate of the year before.[1] Verizon reported in 2012 that 71% of cyber attacks occur at firms with fewer than 100 employees,[2] while the National Cyber Security Alliance states that small businesses that get hacked have a 60% chance of going out of business within six months.[3]
Most people admit to being concerned about cybersecurity, but at the same time do not understand it or know what they should do about it.
Why should a family be concerned about potential cyber intrusions? At its core, there are three key concerns:
- Theft. Someone might access bank, credit, investment or other financial accounts. Even if the family avoids online banking entirely, its money is still at risk through phishing attacks, automatic teller machine (ATM) fraud or someone accessing its tax information at the IRS.
- Privacy. Hackers may harm the family's reputation (or its business) by revealing details about the family's wealth, while thieves may use that information to plan a robbery or kidnapping.
- Maliciousness. Just as teenagers might spray-paint graffiti on a building, hackers may break into data stores or websites simply to delete or destroy data, deface a site, or redirect visitors to a different website. Beyond the cost of repairing the sites, such intrusions can also expose private information.
Ten steps toward family office cyber protection
With so many risks, and knowing that most wealthy family members have very little patience for security and restrictions, we have developed a 10-point plan that family offices can use to protect the family’s technology. This plan is designed to be reasonable for the family, while limiting their exposure to the most common threats. Some high-profile families may choose to exceed these recommendations.
1. Technology inventory
The family office should maintain an inventory of routers (don't forget those at each family member's house), computers, tablets, phones and other devices. The office needs to maintain these devices and make sure each one receives operating system and firmware updates and, for computers, runs current antivirus and firewall software. Routers and phones do not run conventional antivirus, so for them the check is whether the vendor's firmware and system updates are being applied.
As part of the maintenance, the office should make certain that software on the systems, such as operating systems, Microsoft Office, browsers and accounting tools, is kept current. In addition, the inventory should track databases and the types of data they contain. The most important are those holding client information, but the inventory should cover any data a thief could exploit.
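An inventory is only useful if someone regularly asks it which devices are overdue. The following is an added example (not code from the original article) of turning the inventory into an automated check: it reads a small constructed CSV inventory, flags any device not updated within 90 days, and flags laptops and desktops missing antivirus or with the host firewall off. The column layout, device names, dates and the 90-day window are this example's own assumptions; a real inventory would be exported from the office's asset-tracking tool and audited as of today's date.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
	"time"
)

// Device is one row of the technology inventory: what it is, whose it is,
// where it lives, what software it runs, and when it was last updated.
type Device struct {
	Name, Owner, Location, Kind, Software string
	LastUpdated                           time.Time
	Antivirus, Firewall                   bool
}

// Finding is one inventory item that needs the office's attention.
type Finding struct {
	Device string
	Issue  string
}

// sampleInventory is constructed sample data for this example, not a real
// inventory. Routers and phones record "n/a" for antivirus because they do
// not run conventional endpoint antivirus.
const sampleInventory = `name,owner,location,kind,software,last_updated,antivirus,firewall
office-fw,office,main office,router,RouterOS 7.12,2024-05-01,n/a,yes
jane-laptop,Jane,main office,laptop,Windows 11 23H2,2024-06-10,yes,yes
home-router-1,John,lake house,router,vendor firmware 1.0.3,2022-11-20,n/a,yes
john-phone,John,lake house,phone,iOS 17.4,2024-06-01,n/a,n/a
accounting-pc,office,main office,desktop,Windows 10 21H2,2023-12-15,no,yes
`

// ParseInventory reads the CSV inventory into Device records.
func ParseInventory(data string) ([]Device, error) {
	rows, err := csv.NewReader(strings.NewReader(data)).ReadAll()
	if err != nil {
		return nil, err
	}
	var devices []Device
	for _, row := range rows[1:] { // rows[0] is the header
		updated, err := time.Parse("2006-01-02", row[5])
		if err != nil {
			return nil, fmt.Errorf("%s: bad last_updated %q", row[0], row[5])
		}
		devices = append(devices, Device{
			Name: row[0], Owner: row[1], Location: row[2], Kind: row[3],
			Software: row[4], LastUpdated: updated,
			Antivirus: row[6] == "yes", Firewall: row[7] == "yes",
		})
	}
	return devices, nil
}

// Check flags every device not updated within maxAge as of now, and every
// laptop or desktop that lacks antivirus or has its host firewall off.
func Check(devices []Device, now time.Time, maxAge time.Duration) []Finding {
	var findings []Finding
	for _, d := range devices {
		if now.Sub(d.LastUpdated) > maxAge {
			findings = append(findings, Finding{d.Name,
				fmt.Sprintf("not updated since %s (%s)", d.LastUpdated.Format("2006-01-02"), d.Software)})
		}
		if d.Kind != "laptop" && d.Kind != "desktop" {
			continue // routers and phones: update age is the only check
		}
		if !d.Antivirus {
			findings = append(findings, Finding{d.Name, "no antivirus"})
		}
		if !d.Firewall {
			findings = append(findings, Finding{d.Name, "host firewall off"})
		}
	}
	return findings
}

// AuditSample runs the check over the sample inventory as of a fixed date
// (a real audit would pass time.Now()) with a 90-day update window.
func AuditSample() ([]Finding, error) {
	devices, err := ParseInventory(sampleInventory)
	if err != nil {
		return nil, err
	}
	asOf := time.Date(2024, 7, 1, 0, 0, 0, 0, time.UTC)
	return Check(devices, asOf, 90*24*time.Hour), nil
}

func main() {
	findings, err := AuditSample()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-14s %s\n", f.Device, f.Issue)
	}
}
```

Run against the sample, the audit reports the lake house router (no firmware update in over a year) and the accounting PC (stale operating system and no antivirus); the office router, the laptop and the phone are current and produce no findings.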
2. Written cyber policy
Family offices should have a written cyber-protection policy, including a connected-device policy, a password policy, a social-media policy and a payment-authorization policy. Families rarely impose penalties for violating these policies, but writing them down, communicating them and providing training makes family members aware of the policies and conscious of their own behavior.
3. Cybersecurity insurance policy
If the family office oversees family businesses, blog sites or foundations with websites, they should consider cybersecurity insurance. Such policies can cover:
- Liability for loss of data, such as client personal data or credit card details
- Remediation costs, such as investigation, notification and repairs
- Settlement costs, such as client-monitoring services, payments or regulatory fines
4. Vulnerability assessment
Vulnerability assessments identify weaknesses in systems, such as missing patches, exposed services and weak configurations. For a family office, the scope should include the family office itself, the businesses overseen by the office (including a foundation office) and each family member's home systems. Most offices lack the expertise to conduct these assessments internally and therefore contract with an outside vendor. Such assessments should be conducted at least annually, and the findings tracked until they are fixed.
5. Encryption tools
If confidential information is sent in standard emails, the message is relayed through several mail servers on the internet and can be read by anyone who intercepts it along the way or gains access to either mailbox. One way to prevent this is to use end-to-end email encryption tools such as S/MIME or PGP. These tools encrypt the message before it is sent, and the receiver uses a matching tool and their own private key to decrypt and read it. Anyone who intercepts the message sees only ciphertext, which is indecipherable without the recipient's key, even if the interceptor has the same software. Note that these tools encrypt the message body and attachments; the subject line and the sender and recipient addresses typically remain readable.
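The mechanism described above, shown as an added example that is not code from the original article: a message is encrypted under a fresh one-time symmetric key, and that key is wrapped with the recipient's public key, which is the same hybrid construction S/MIME and PGP use. The example is written with Go's standard library only; the Envelope, Seal, Open and Roundtrip names, the 2048-bit RSA key size and the sample message are this example's own assumptions. Roundtrip also shows the two things an interceptor cannot do: alter the ciphertext undetected, or open it with a different private key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is all that travels over email: the body encrypted under a fresh
// one-time AES-256-GCM key, plus that key wrapped with the recipient's RSA key.
type Envelope struct {
	WrappedKey []byte // message key encrypted with RSA-OAEP for the recipient
	Nonce      []byte // GCM nonce, unique per message
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// Seal encrypts plaintext so only the holder of the matching private key can read it.
func Seal(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32) // one-time message key, never reused
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open reverses Seal; it fails on the wrong private key or any altered byte.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap message key (wrong private key or damaged envelope): %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("authentication failed, message was altered: %w", err)
	}
	return plaintext, nil
}

// Roundtrip runs the whole exchange with fresh keys and reports what an interceptor cannot do.
func Roundtrip(message string) (recovered string, tamperDetected, wrongKeyRejected bool, err error) {
	recipientKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, false, err
	}
	env, err := Seal(&recipientKey.PublicKey, []byte(message))
	if err != nil {
		return "", false, false, err
	}
	pt, err := Open(recipientKey, env) // the intended recipient reads it
	if err != nil {
		return "", false, false, err
	}
	// An interceptor flips one byte of the ciphertext: GCM rejects it.
	tampered := *env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, tErr := Open(recipientKey, &tampered)
	// An interceptor with the same software but a different private key cannot open it.
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, false, err
	}
	_, kErr := Open(otherKey, env)
	return string(pt), tErr != nil, kErr != nil, nil
}

func main() {
	fmt.Println(Roundtrip("Wire $250,000 to the Smith Foundation account on Friday."))
}
```

The design point for a family office is the one the prose makes: the protection comes from the recipient's private key, not from owning the software. Any mail server or attacker that captures the Envelope learns only its length, and the GCM authentication tag means a payment instruction cannot be quietly edited in transit. In production the recipient's public key would come from an S/MIME certificate or a PGP key verified out of band, rather than being generated on the spot as this example does.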